The British Government has been accused of placing public data at risk, after the National Audit Office (NAO) discovered that 70 percent of Government departments do not check that data has been wiped from old computer equipment.
NAO, the public spending watchdog, found that while departments had a good level of awareness of the legislative requirements in this area, the majority of public bodies had no oversight of the data wiping standards and approaches being used in practice by their disposal agents.
“We found that 90 percent of public bodies told us data was wiped on old machines, with 70 percent of departments saying data was wiped in accordance with current guidelines,” said Daniel Varey, senior business analyst at the NAO.
But 70 percent of government departments were failing to obtain evidence that data wiping had been carried out.
“We say in our recommendations that where organisations are using a third-party they need to increase their oversight to ensure that data is being wiped,” Varey told Techworld.
“The oversight of the entire disposal chain is our key message in this report,” said Varey. “What has not happened is enough joined up thinking across government to manage and dispose of ICT equipment.”
According to mobile encryption specialist SafeBoot, this cavalier approach to obtaining proof that data is being wiped will eventually lead to disaster.
“The public sector needs to put strict security policies in place immediately to mitigate this risk,” said Tom de Jongh, product manager at SafeBoot. “Last week’s USB theft at Nottingham hospital and last month’s Newcastle City Council credit card gaffe show how real the risks are and it is the Government’s duty to ensure that any and all information pertaining to the electorate is kept secure.”
The whole point about data security is about knowing how the policy is implemented says de Jongh, who recommends that all public data should be encrypted with proper authentication procedures. “Europe is currently lagging behind the United States, where it is not allowed to have customer data without encryption.”
“Encryption secures data during the lifetime of the device,” de Jongh said. “It is better to encrypt at the front so you don’t need all the sophisticated disposal mechanisms at the end [of the life of the machine].”
The NAO study also discovered that on average, public bodies replace their ICT equipment at around five years, instead of the usual three years at commercial organisations. The NAO believes that public bodies could generate significant savings through reduced operating costs and improved resale values, if they mirrored commercial companies in this regard and refreshed their equipment every three years, although it conceded that further effort was needed in order to identify the optimal refreshment time.
The volume of public ICT equipment is also set to rise. UK public bodies spent £2.7 billion in 2005-06 to acquire 1.7 million units of ICT equipment (85 percent of which were computers and monitors). Yet this number is forecast to increase to 2.6 million units by 2010-11, costing the tax payer £4.1 billion.